I can reproduce the issue by following these steps with a website I host:
1. Click a link to the website from any external site
2. Submit an AJAX form that returns a Set-Cookie header with the SameSite=Strict attribute
3. At this point I can confirm that the cookie is set by looking in chrome://settings
4. Reload the page
On step 3, the cookie is not sent with the request. The devtools network tab shows:
"The cookie was blocked because it had the "SameSite=Strict" attribute and the request was made from a different site. This includes top-level navigation requests initiated by other sites."
Is this the correct behavior for SameSite=Strict cookies? I understand why the cookie would not be sent with the initial request in step 1 (since it originated from a different site), but I expected that an explicit reload triggered by a user would be considered a same-site request.
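The attachment rule behind that devtools message, as an added model that is not part of the question or of any browser's code. It applies the SameSite=Strict / Lax decision (RFC 6265bis, simplified: the "site" is the last two host labels, no public-suffix lookup) to the steps above with constructed URLs (app.example, other.example), treating a reload as inheriting the initiator of the navigation it repeats.

```python
"""Simplified model of how a browser decides whether to attach a SameSite cookie."""
from dataclasses import dataclass
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    samesite: str  # "Strict", "Lax" or "None"


def registrable_domain(host: str) -> str:
    # Simplification: use the last two labels as the site (real browsers consult the Public Suffix List).
    return ".".join(host.lower().split(".")[-2:])


def is_same_site(url_a: str, url_b: str) -> bool:
    a, b = urlsplit(url_a), urlsplit(url_b)
    return a.scheme == b.scheme and registrable_domain(a.hostname) == registrable_domain(b.hostname)


def cookie_attached(cookie: Cookie, target_url: str, initiator_url: str,
                    top_level_nav: bool, method: str) -> bool:
    """True if `cookie` is attached to a request for `target_url` whose site-for-cookies
    is `initiator_url`. Strict: same-site only. Lax: also top-level navigations with a
    safe method. None: always (modern browsers require Secure when it is set)."""
    same_site = is_same_site(target_url, initiator_url)
    if cookie.samesite == "Strict":
        return same_site
    if cookie.samesite == "Lax":
        return same_site or (top_level_nav and method in SAFE_METHODS)
    return True


def reproduce_question(samesite: str) -> dict:
    """Steps 1 and 4 of the question; URLs are constructed for the example.
    A reload keeps the site-for-cookies of the navigation being reloaded, so the
    cross-site initiator still applies (this is what the devtools message reports)."""
    site, external = "https://app.example", "https://other.example/links"
    c = Cookie("session", samesite)
    return {
        "1 click link from external site": cookie_attached(c, site + "/", external, True, "GET"),
        "4 reload (initiator still external)": cookie_attached(c, site + "/", external, True, "GET"),
    }


if __name__ == "__main__":
    for mode in ("Strict", "Lax"):
        print(mode, reproduce_question(mode))
```

With SameSite=Strict both steps return False, with SameSite=Lax both return True; a session cookie that must survive arrival from an external link therefore needs Lax, while Strict fits cookies that only state-changing same-site requests should carry.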
I've noticed in Chrome's dev tools, when you make a request to a URL that ends up returning you a 301 redirect, the following happens:
1. The original request (a POST in this example) is written to the Network tab
2. The server returns a 301 redirect to a different URL
3. The original request details in the Network tab are overwritten with the redirect request, which is a GET request to the redirect URL
You can see the original request briefly before it is overwritten by the redirect. Is there any way to preserve the original request details in the Network tab?
Update:
Here's a video of the behavior.
You'll see that when I hit the "Connect" button a new entry is added to the list of requests (to "/acl?apiKey=[whatever]"). When the server returns a redirect (to "/redirect?code=[whatever]"), that request overwrites the original request in devtools, making it impossible to see the details of the original request.
As part of the email signup process, I send a URL in an email. The client should click it, my server application sends a 303 response redirecting the client to the home page, and the browser should open the home page. But this isn't happening. I am unable to debug whether this is a browser issue or a web-server issue.
In this picture, you can see that on clicking the URL, a GET request is sent and a 303 is received.
Here, I don't see any request going out (I see request headers, but I am not convinced that the request was sent). In the Timing tab, it looks as if the request is stalled.
It seems the issue was the way I was redirecting. Instead of redirecting using an absolute path, Redirect("http://localhost:9000/home"), I wasn't including http, i.e. Redirect("localhost:9000/home"), which made the path relative. The initial request was http://localhost:9000/ws/users/signup/ and the new request after the redirect became http://localhost:9000/ws/users/signup/localhost:9000/home, which probably messed up something in the browser.
I'm trying to create an HTTP POST request using Postman to this URL:
http://www.mfinante.ro/agentinume.html?pagina=domenii
on the codFiscalForm from HTML.
I set the input name=Oracle and judet=BUCURESTI and I'm receiving a piece of HTML where I don't have the information I need (an HTML table form).
What am I doing wrong?
The reason for the missing HTML table data in the HTTP response is: the POST /numeCod.html request (the action of codFiscalForm) is protected by TS*** cookies. In the POST /numeCod.html request, if TS*** cookies such as TS018732dc, TS5d0550f8_27 etc. are missing or incorrect, the request is rejected by the server.
When are TS*** cookies retrieved/updated?
TS*** cookies are retrieved or updated when you open the webpage /agentinume.html?pagina=domenii. Please note that all HTTP responses when opening /agentinume.html?pagina=domenii set/update TS*** cookies, including the responses to .js and .png file requests.
When the result page is opened after submitting the form, the TS*** cookies are updated again.
How to confirm that TS*** cookies are critical for retrieving data?
On the webpage, before clicking the VIZUALIZARE button, you can open a browser debug tool such as Chrome DevTools and delete one TS*** cookie in the Application - Cookies panel. After that, clicking the VIZUALIZARE button will lead to an HTML page without table data.
Why does Postman not work even when TS*** cookies are defined in the headers?
Because TS*** cookies keep changing, it is very difficult (if not impossible) to get the latest valid TS*** cookies programmatically.
Suppose I make a webpage that includes
<iframe src="http://google.com"/>
and a user browses through that iframe. Does Google see the request made from the server I'm hosting my site on, or from the user's router?
You do NOT load the content of the iframe source from your server. You just pass that code to the user's browser, then everything happens on the client side. Therefore Google will see the client IP address etc.
When one website is called through another domain, whether via iframe or not, browsers send the current domain name to the next target (google.com in your case) in the HTTP Referer header. This is the only way for google.com to understand where the client requested google.com from.
Details: What is the HTTP Referer if the link is clicked in an <iframe>?
I have a page on domain A which loads a webworker script from domain B. The webworker is fetching some PNGs from domain A's server.
In Firefox, the request to get the PNGs contains the cookie for my site (domain A).
In Chrome, it does not include the cookie for my site, and so fails because the request must be coming from a logged in user (which requires the session cookie to be sent in the request).
Which browser is behaving correctly, and can I do anything to make Chrome send the cookie for the current domain from within a webworker?
UPDATE:
I pulled all the files from domain B and hosted them on my server at domain A, so the webworker file is now on the same domain as the site itself, but Chrome still does not send the session cookie with the requests from the web worker.
With regards to the first problem, it looks like Firefox is incorrect; you shouldn't be able to instantiate a Worker on another domain. To quote the spec:
"If the scheme component of worker URL is not "data", and the origin of worker URL is not the same as the origin specified by the incumbent settings object, then throw a SecurityError exception and abort these steps."
With regards to Chrome, the Workers run in a separate they work for me, and without seeing more code it's hard to answer. But if you visit this demo and break before the postMessage to the worker, set document.cookie='test=1' and you will see that when the request goes out from the worker, it is set.